Author: Stephanie Schiedermair
- The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
(a) monitor and ensure the correct application of this Regulation in the cases provided for in Arts. 64 and 65 without prejudice to the tasks of national supervisory authorities;
(b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
(c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;
(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Art. 17 para. 2;
(e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Art. 22 para. 2;
(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Art. 33 paras. 1 and 2 and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;
(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Art. 34 para. 1.
(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Art. 47;
(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Art. 49 para. 1;
(k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Art. 58 paras. 1, 2, and 3 and the setting of administrative fines pursuant to Art. 83;
(l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);
(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Art. 54 para. 2;
(n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Arts. 40 and 42;
(o) carry out the accreditation of certification bodies and its periodic review pursuant to Art. 43 and maintain a public register of accredited bodies pursuant to Art. 43 para. 6 and of the accredited controllers or processors established in third countries pursuant to Art. 42 para. 7;
(p) specify the requirements referred to in Art. 43 para. 3 with a view to the accreditation of certification bodies under Art. 42;
(q) provide the Commission with an opinion on the certification requirements referred to in Art. 43 para. 8;
(r) provide the Commission with an opinion on the icons referred to in Art. 12 para. 7;
(s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.
(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Art. 64 para. 1, on matters submitted pursuant to Art. 64 para. 2 and to issue binding decisions pursuant to Art. 65, including in cases referred to in Art. 66;
(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;
(v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;
(w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.
(x) issue opinions on codes of conduct drawn up at Union level pursuant to Art. 40 para. 9; and
(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
- Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
- The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Art. 93 and make them public.
- The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Art. 76, make the results of the consultation procedure publicly available.
I. Introduction
The EDPB is responsible for a varied range of tasks. The list of tasks to be performed by the Board as set out in Art. 70 proves to be non-exhaustive, as is evident from the wording of Art. 70 para. 1 sentence 2 (“in particular”). The current form of the list of duties set out in Art. 70, which was amended again as part of the trilogue procedure, is based on the proposal put forward by the Council.
II. Analysis
The Board acts either on its own initiative or at the request of the Comm. Within this context, the Board once again remains independent and is not bound by instructions in accordance with Art. 69. All other players, e.g. the Member States or individuals affected by data processing, must contact the national SAs. The Comm can only “request” that the Board take action. The decision as to the form in which the Board complies with this request is then at the discretion of the Board. The same applies to the Board’s activities pursuant to Art. 70 para. 1 lit. e. Within this context, the Board shall examine on its own initiative, on request of one of its members or on request of the Comm, any question covering the application of the GDPR and issue guidelines, recommendations and best practices in order to encourage consistent application of the GDPR. Given the Board’s considerable margin of discretion, its influence over data protection legislation in Europe remains to be seen in practice. The success of the GDPR will depend, not least, on how the Board manages to implement the duties assigned to it in practice. So far, the Board has been active in adopting guidelines to clarify and interpret the GDPR as well as in giving guidance on important issues, such as Brexit. The EDPB has also been releasing numerous opinions on consistency findings but has not made binding decisions so far.
The various tasks for which the Board is responsible all serve to ensure the consistent application of the GDPR, consistent application being one of the central aims of the GDPR. The mandatory tasks of the Board are listed in detail in Arts. 70 and 71. Variations of the following activities form part of the core tasks of the Board: first, the Board is obliged to issue opinions in the cases listed in Art. 64. Pursuant to Art. 64 para. 2, the Comm, any SA of a Member State and the Chair of the Board have the right to request opinions from the Board. This applies, in particular, if a competent SA does not comply with the obligations for mutual assistance in accordance with Art. 61 or for joint operations in accordance with Art. 62. The Board’s opinions are forwarded to the Comm and to the committee referred to in Art. 93 and are also made public. The urgency procedure allows any SA to request, pursuant to Art. 66 para. 2, an opinion or a binding decision from the Board, providing grounds for this request, if it believes that final measures must be adopted as a matter of urgency. Pursuant to Art. 66 para. 3, this also applies if a competent SA has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects. The opinions and decisions in the urgency procedure are adopted within two weeks with a simple majority of the members of the Board.
Another key aspect of the Board’s activity lies in advising the Comm on all matters relating to data protection. This also includes proposals for amendments to the GDPR. In addition, the Board advises the Comm on whether the level of data protection in a third country or international organisation can (still) be described as adequate (Art. 70 para. 1 lit. s). Regarding the EU-US Privacy Shield, for example, the EDPB, like the Art. 29 WP before it, expressed its concerns on the “collection and access of personal data for national security purposes” by the US agencies. This issue was the main reason why the CJEU later ruled the Privacy Shield illegitimate.
The Board provides the Comm with an opinion on such matters. In order to allow the Board to prepare its opinion, the Comm shall provide it with all of the necessary documentation. The Board also advises the Comm on which procedures can be used for the exchange of information between controllers and data protection authorities regarding the establishment of binding corporate rules. Where the Comm requests advice from the Board in urgent matters, it may set a time limit pursuant to Art. 70 para. 2.
[…]